[Samba] security = ads parameter not working in samba 4.9.5
Sérgio Basto
sergio at serjux.com
Thu Nov 28 20:01:40 UTC 2019
On Thu, 2019-11-28 at 10:21 +0000, Rowland penny via samba wrote:
> On 27/11/2019 23:57, Sérgio Basto wrote:
> > Thank you for the warning :) [1], I'm fighting the same problem but I
> > have a different configuration that I never told you before: I'm
> > running my CentOS 7 packages (very similar to other fellows') [2] where
> > DC1, DC2 and DC3 are running SambaAD, samba-4.8.8-2.el7.x86_64 with
> > BIND9_DLZ (bind-9.11.4-9.P2.el7.x86_64).
>
> First things first, remove sssd, it is not supported with Samba.
>
> Next, stop network manager altering /etc/resolv.conf
>
> Make /etc/hosts look like this:
>
> 127.0.0.1 localhost
> ::1 localhost
> 172.27.28.1 ccdc1.corp.local
>
> Just change the DCs info to match the DC it is on
>
> /etc/resolv.conf should look like this:
>
> search corp.local
> nameserver 172.27.2.1
>
> Again match the IP to the DC.
>
> Remove these lines from smb.conf:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> You are breaking Samba by having them.
This recommendation, why? The wiki says to add it [1].
[1]
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File
I tried these fixes, but nothing changes: getent passwd and getent group
stop working as soon as I change /etc/samba/smb.conf with WORKGROUP.
> Make /etc/named.conf look like this:
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>     notify no;
>     empty-zones-enable no;
>     allow-query { any; };
>     allow-query-cache { any; };
>     forwarders { 8.8.8.8; 8.8.4.4; };
>     allow-transfer { none; };
>     dnssec-validation no;
>     dnssec-enable no;
>     dnssec-lookaside no;
>     listen-on port 53 { 172.27.28.1; 127.0.0.1; };
>     listen-on-v6 port 53 { ::1; };
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity dynamic;
>     };
> };
>
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> include "/var/lib/samba/bind-dns/named.conf";
>
> The howto you ultimately linked to tells you to open ports 1024:5000 in
> the firewall, this is now incorrect, you need to open ports 49152-65535
>
> > REPO server is a Domain Member [3] with idmap_config_ad, of DOMAIN corp,
> > and I'm testing with SambaAD-4.10.9 or 10.
> >
> > What else?
> > getent passwd and getent group just work with the previous configuration
> > and stop when I set the workgroup in idmap, when you wrote "it MUST be
> > workgroup not realm".
> >
> >
> > Notes on script:
> > CentOS 7 DNS configuration is in /etc/named.conf, not in
> > /etc/bind/named.conf; I had to hack the script a little, and for dpkg -l
> > I replaced it with rpm -qa.
> >
> >
> > [1]
> > https://paste.centos.org/view/8d205024
> > https://paste.centos.org/view/bba5f6c4
> >
> > [2]
> > https://copr.fedorainfracloud.org/coprs/sergiomb/SambaAD/
> >
> > [3]
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> Fix your DCs and see how you go on ;-)
>
> Rowland
>
>
>
--
Sérgio M. B.
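The point that keeps coming up in this thread is that the `idmap config` label on a domain member has to be the workgroup (short NetBIOS domain name), not the Kerberos realm, and that getent breaks when the two are mixed up. The following is an added example, not code from the thread, from Rowland or from the Samba project: a small checker that parses the [global] section of an smb.conf, confirms `security = ads`, looks for an `idmap config <WORKGROUP> : ...` block, flags a block that is labelled with the realm instead, and (going one step beyond the thread, on the documented requirement that idmap ranges must not overlap) checks the declared ranges against each other. The two smb.conf texts are constructed samples, not the poster's real configuration.

```python
import re
from typing import Dict, List

# Constructed sample: an AD domain member whose idmap block is labelled
# with the realm (CORP.LOCAL) instead of the workgroup (CORP).
MEMBER_SMB_CONF_BAD = """
[global]
    security = ads
    workgroup = CORP
    realm = CORP.LOCAL
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    # wrong label: this is the realm, getent will not resolve domain users
    idmap config CORP.LOCAL : backend = ad
    idmap config CORP.LOCAL : schema_mode = rfc2307
    idmap config CORP.LOCAL : range = 10000-999999
"""

# Constructed sample: the same member with the block labelled by workgroup.
MEMBER_SMB_CONF_GOOD = MEMBER_SMB_CONF_BAD.replace("config CORP.LOCAL", "config CORP")

IDMAP_KEY = re.compile(r'^idmap config (\S+) : (\S+)$')


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters, keys lower-cased with whitespace
    collapsed so that 'idmap config CORP : backend' is a single key."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':          # smb.conf comment lines
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != 'global' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        params[' '.join(key.lower().split())] = value.strip()
    return params


def check_member_config(text: str) -> List[str]:
    """Return a list of problems found; an empty list means the idmap
    layout is consistent with the advice given in the thread."""
    p = parse_global(text)
    problems: List[str] = []
    if p.get('security', '').lower() != 'ads':
        problems.append("security must be 'ads' on an AD domain member")
    wg = p.get('workgroup', '').lower()
    realm = p.get('realm', '').lower()
    if not wg or not realm:
        problems.append("both workgroup and realm must be set")

    # Group 'idmap config <label> : <option>' keys by label.
    labels: Dict[str, Dict[str, str]] = {}
    for key, value in p.items():
        m = IDMAP_KEY.match(key)
        if m:
            labels.setdefault(m.group(1), {})[m.group(2)] = value

    if wg and wg not in labels:
        problems.append(f"no 'idmap config {wg.upper()} : ...' block; "
                        "the label must be the workgroup")
    for label, opts in labels.items():
        if label == realm and label != wg:
            problems.append(f"idmap config label '{label.upper()}' is the "
                            f"realm; use the workgroup '{wg.upper()}'")
        if 'range' not in opts:
            problems.append(f"idmap config {label.upper()} has no range")

    # Assumption beyond the thread: per-domain ranges must not overlap.
    ranges = []
    for label, opts in labels.items():
        if 'range' in opts:
            lo, hi = (int(x) for x in opts['range'].split('-'))
            ranges.append((lo, hi, label))
    ranges.sort()
    for (lo1, hi1, l1), (lo2, hi2, l2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges for '{l1}' and '{l2}' overlap")
    return problems


if __name__ == '__main__':
    for name, conf in (('bad', MEMBER_SMB_CONF_BAD), ('good', MEMBER_SMB_CONF_GOOD)):
        print(name, check_member_config(conf) or 'OK')
```

Run it against a real file with `check_member_config(open('/etc/samba/smb.conf').read())`; it only reads the [global] section and does not touch the domain, so it is safe to run on a member that is currently misbehaving before restarting winbind.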